Are gaming consoles any more private than gaming on a computer?

This morning I thought of something: are gaming consoles more private than computer gaming? My reasoning is that while console manufacturers are collecting data, it’s compartmentalized from the rest of your digital activity.

Let me know what you think.

It highly depends. Depends on what game launcher/store you are using, what games you are playing, what console you got, your opsec, etc.

2 Likes

When I thought about it, I considered email: I use a desktop email client, and in theory, any gaming software would have more access to that than a dedicated gaming device. Also, think of how many overly invasive anticheats there are.

Disclaimer: I don’t own an Xbox.

If you’re signed into your Xbox account on your console, that is literally also a Microsoft account. If you use that Microsoft account for other facets of your life, then your gaming data and personal data will be tied via that account. Not a big deal for me, but something to consider.

I don’t think it’s the same problem for PlayStation or Switch.

The thing is, you can’t really generalize that.
First off, consoles are mostly locked-in ecosystems; you don’t really have much freedom or choice when using a console, nor can you tweak much. So whatever the brands decide to do/enforce, you will need to live with it; everything is closed source, etc.
On the other hand, on a computer you have a free choice of desktop OS, which can be fully open source like Linux, or Windows, which is currently still the best for gaming. For Windows you need to go along with what Windows tracks/collects about you or try to turn that off. Those are about the main differences (so in general I would consider computers more private), the thing is … just looking at that doesn’t mean much, because at this point you still haven’t played any game yet. And here it also highly depends on what you play.
You can play open source single player games where very likely no data collection happens whatsoever, or you can play multiplayer FPS games like Valorant which require anti-cheat software directly installed into your system’s kernel with higher privileges than you have on your machine. Most of the games are closed source anyways. In pretty much any game, no matter what platform (most of them being closed source), data collection will happen, even by the fact that it’s so important for bug fixes, performance optimization, etc.
Some FPS multiplayer games with competitive modes are also starting to require valid email + phone numbers linked to the account to counter cheaters/hackers, etc.
Also, as @mazer already said, different game launchers can also have different levels of privacy. As a bad example I wanna take Epic Games: their client is completely closed source, and portions of it are owned by Tencent. A better one might be the GOG Galaxy launcher.

4 Likes

Some people here are already making some great points. I just wanted to add I don’t trust the mic on the PS5 controller lol

Yeah, ideally you would physically disconnect or short out any microphone built into the console or controller and use an external microphone with hardware push-to-talk (or at least a hardware mute switch).

As someone who has a Sony/PlayStation account, I really don’t think it’s more private.

Taking a glance at PlayStation’s PP, they collect a lot of data for marketing purposes, and while they say they “don’t sell to third parties” they note an “unless needed” type of thing (again for marketing).
We don’t know what the marketing companies are doing with our data, so it’s suspicious.

I don’t think either one is more private than the other because, regardless, you’re giving your information to someone.
Steam collects data, EA/Origin, and so on and so forth. Depending on the OS you’re using, that’s going to collect data too unless you’ve hardened the OS.

Maybe the best strategy for general users is to compartmentalize? The main concern is that the data collected while gaming will be associated with an account most likely, so you may want to isolate that account from the rest of your personal life with an alias or even a standalone account (like could be the case for Xbox with a Microsoft account). Again, this is based on your threat model if this is an area you want to cover off.

For me, I’m not so concerned with my gaming being associated with my email as much as I would be with that information being accessible to the general public. What I mean is I don’t want folks to see what I’ve been playing or things like that, so if I can turn that off somehow then I’m ok with that.

That’s not how anticheat works. Gamers can rejoice knowing those programs are only monitoring the game itself for changes in the code and licensing. They don’t need anything additional to run. It doesn’t access your filesystem or networking, that’s just nonsense.

That is how it should work. But sadly:

Well, that article seems to be heavily condemning the Korean and Chinese for gaming software and is in no way a trusted source when it comes to Ring 0 or Ring 3 exploits, or even how the kernel works in general, at a high level. But it does raise some points: the idea of a kernel exploit isn’t novel and it’s widely used today in the form of eBPF exploits by the intelligence community, and kernel exploits are common today compared to the past. You can (and there have been) programs written in eBPF that target system infrastructure at the kernel level. That said, I highly doubt it would go unnoticed for long if a program utilizing anti-cheat software, like Easy Anti-Cheat, were exfiltrating your system’s information any worse than in the way which the base game probably does.

So it’s hard to say, really. I bet that most games in the modern age that can be played on any system probably use some form of analytics related to what’s running on your computer and playing online is in no way conducive to a safe addition in your threat model from a software interaction standpoint. That’s not to say it’s what you should expect when you wish to play a game on your PC, but it’s not unreasonable to suggest it’s going on and they aren’t telling you about it. I recommend running network monitoring software that can watch what’s going on per-program to see if there’s anything nefarious going on and any of your data is being exfiltrated to an unknown server or device.

This is a privacy and security community. We are here for the express purpose of not blindly trusting black‑box software with our data.

Today’s overly invasive anti‑cheat software is literally designed to monitor other software you have on your computer, and many widely reported false positives arise as a result. Furthermore, if they were really monitoring only the game itself, developers would not go to the trouble of blocking gameplay in a virtual machine.

Unfortunately “it’s literally designed” isn’t a good argument and I need some form of proof to that effect, just like you said; we can’t blindly trust anything, but we can’t blindly distrust it either. The whole point of a forum, honestly, is to promote discussion and technical knowledge of these things, but you’re not offering any proof to the contrary when I suggest it’s not really that nefarious. Next time you want to point out where we are, maybe you would do well to offer concrete proof. I might change my stance, but until then, no. I stand by what I said before: Anti-cheat software isn’t nefarious, at least not intentionally, and why would you be gaming in a VM anyway? Do you think regular people know how GPU pass-through works?

I’m afraid that a lot of anticheat goes outside of the game and actually goes scanning files or activity outside of the game.

Here are examples:

1 Like

I think there’s a balance between the views both of you express and I think it also depends on your threat model whether you will or won’t trust something depending on how little you know. At some point you have to make a judgement call based on the information available.

Both of you guys have offered great posts in other threads, so regardless I appreciate that.

1 Like

Probably. But still that is that plus a new possible vulnerability. Kernel-level anticheat just shouldn’t exist.

Sort of related to this:

I’m thinking of deleting my Microsoft account, erasing my Xbox, and signing up for Microsoft again. Would that provide any level of privacy benefit? Or am I kind of just wasting my time?

I would assume that the new account is not associated with your old account or any other parts of your life, but rather is an Xbox-only alias. I think that works for most things.

One could argue that if Microsoft can see that it’s the same Xbox as another account that played at the same IP and is playing the same games as before that you haven’t done anything, but also we don’t know if they even do that. It depends on your threat model.

I think it can be easy to imagine risks, but sometimes you have to go with what’s more likely. In my opinion, we’re talking about for-profit businesses who are taking the easy path for gathering as much data as they can because it helps their decision-making. They’re not professional spy agencies. If you try to subvert giving them data, you’re probably in the minority and they don’t care enough to “go after you.” But that’s just my opinion.

Alright well I marked my existing account for deletion, and it’s fully gone in 30 days. Should I wait the full 30 days to make a new account, or does it matter if I just sign up again now?